Security researcher publishes 10 million passwords despite fear of FBI
This is the state of cybersecurity research now.
For whatever reason, people on the Internet still have trouble creating secure passwords. To better understand how and why people choose the passwords and usernames they do, one security researcher is releasing a massive trove of data in an effort to improve password security.
Mark Burnett released 10 million passwords on Monday. He collected the data from publicly available datasets leaked in the last decade by blackhat attackers. Burnett removed the identifying factors such as the domain portion of the email address.
He believes the combinations are “dead passwords,” meaning they are effectively useless to hackers or anyone trying to use them for fraudulent purposes.
Although Burnett collected and released this data exclusively for research purposes to better understand human behavior, he prefaced the release with heavy caveats, writing at length about why he shouldn’t be arrested by the FBI.
Burnett’s concerns stem from the aggressive prosecution of journalist Barrett Brown, who was charged with, among other things, sharing a link to data that included email addresses and credit card information. Brown’s arrest and prosecution led some journalists, activists, and security researchers to step down from their posts for fear of arrest based on similar charges.
Additionally, the Obama administration has proposed changes to the Computer Fraud and Abuse Act, which for now protects the release of data like the 10 million passwords Burnett posted this week because the researcher released it without the intent to cause harm. If the changes are implemented, however, they could cause further problems for journalists and security researchers.
“For now the laws are on my side because there has to be intent to commit or facilitate a crime. However, the White House has proposed some disturbing changes to the Computer Fraud and Abuse Act that will make things much worse. Of particular note is 18 U.S.C. § 1030(a)(6):
“(6) knowingly and [struck: with intent to defraud] willfully traffics (as defined in section 1029) in any password or similar information, or any other means of access, knowing or having reason to know that a protected computer would be accessed or damaged without authorization in a manner prohibited by this section as the result of such trafficking;”
By removing “intent to defraud,” the government would make it much easier to prosecute people who share information like the passwords Burnett released, even data shared for educational purposes.
For now, Burnett seems to be in the clear. One programmer has already made a Twitter bot to tweet out the combinations.
You shouldn’t be concerned whether your old username or password is on this list. Malicious attackers will be unable to do anything with it. But you should be concerned by the chilling effects placed on people like Burnett, in the wake of increased cybersecurity scrutiny and persecution.
For now, at least, researchers can better understand what makes us pick certain passwords thanks to this data—and try to make the Internet a little more secure.
Photo and illustration by Max Fleishman
Selena Larson is a technology reporter based in San Francisco who writes about the intersection of technology and culture. Her work explores new technologies and the way they impact industries, human behavior, and security and privacy. Since leaving the Daily Dot, she's reported for CNN Money and done technical writing for cybersecurity firm Dragos.